Thanks a lot for the reply.. In the case of IE during the generation (generatePKCS10) we can set an option that whether we want to enable/disable the export of private key. And when I did that and tried to export the certificate from IE,the private key export option was disabled in the wizard.
But in Mozilla , i used SPKAC , so there is no way to specify an option like that.its that i want to know if we can do something while generating the certificate in openssl that we set an option to disable the private key export in the certificate so that the we cannot backup or export the private key from the Mozilla > Certificate Manager > Your Certificate > Back Up option. As I understand from your reply that Mozilla do not support an option like that. So as the next option, can openssl help in disabling the private key export while we sign the certificate request. 2009/7/15 Dr. Stephen Henson <st...@openssl.org> > On Tue, Jul 14, 2009, tito wrote: > > > Hi all , > > > > I have used SPKAC format to request a digital certificate from mozilla > and > > signed the request with my master key from open ssl and imported it to my > > mozilla. I can readily export (backup)the private key + certificate from > > mozilla and import it to some other system's mozilla browser.I dont want > > this to happen.I dont want the private key to be exported. is there any > > option in openssl to disable this. > > > > > > This isn't anything to do with OpenSSL. The key is generated on the client. > Windows CryptoAPI (as used by MSIE et al) provides an option to make the > private key unexportable but Mozilla AFAIK doesn't. > > The concept of "unexportable" without a HSM is rather doubtful anyway and > is > more security by obscurity: if you know how the key is stored you can > extract > it anyway. With CryptoAPI you don't even need to do that... > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
